Remote syslog + directadmin problems.

Dixiesys

So I added the syslogd option to directadmin.conf so it uses syslog instead of using /var/log/directadmin for logging.

My syslog is set to use a remote server for *.*; for good measure I also added directadmin.* @REMOTEIP to the syslog.conf.

DirectAdmin messages are not showing up at the remote server at all. All other log messages are (proftp, ssh, etc.), but nothing from DirectAdmin at all.

The DirectAdmin messages show up fine in the LOCAL log files on the server, but not on the remote one. I know the remote syslog is working fine, since all other messages from syslog on the local server show up there.

Anyone have any idea what I could possibly be missing here?
 
Hello,

If DA is still logging locally, then it's not actually "on" yet. When syslog with DA is enabled, the local logging stops.

My first guess is that there is a missing newline character after the "use_syslogd=1" option in the directadmin.conf. Put your cursor just after the "1" and press enter to add a newline character (essentially a blank line at the bottom of the directadmin.conf file).

All lines in the config files must end with a newline character or DA won't see them.

To confirm the setting in the config, type:
Code:
cd /usr/local/directadmin
./directadmin c | grep syslog
If it shows 1, then restart DA... maybe via the brute-force method to be sure the pid isn't out of sync:
Code:
cd /usr/local/directadmin
killall -9 directadmin
./directadmin d
John
 
Turns out this isn't a DA or syslog error, it was UDP packets being dropped. See, I pointed around 200 servers at one server to do remote logging; basically I added *.* @10.x.x.x to each of their syslog.confs and then set up rsyslog with MySQL logging on the remote server.

I hit the 128K buffer limit for UDP real fast, and then the 1280K, then the 8280K, then the 82800K, and when I tried an 828000K (or was it 8280000K) limit the server wouldn't boot.

So.... I need a much beefier machine to do remote logging for 200 servers, or don't log *.* but get more picky about what I send remotely to the log server.

DA was logging locally, as in it was logging TO the syslog logs fine, but it turns out I'm dropping about 5 of 6 packets to the log server:

Udp:
6885470 packets received
7315 packets to unknown port received.
19052981 packet receive errors
4144963 packets sent

6.8M packets received, 19M packets were not acknowledged. There we go, mystery solved.

# netstat -pan | grep 514
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 83885928 0 0.0.0.0:514 0.0.0.0:* 2391/rsyslogd
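The two commands quoted in this post are enough to detect a receiver that is shedding datagrams. The following is an added example, not from the thread: it parses `netstat -su` for the receive-error ratio and `netstat -pan` for the Recv-Q backlog on udp/514, using the numbers posted above as constructed sample input.

```shell
#!/bin/sh
# Added example (not from the thread): flag a syslog receiver that drops UDP.
# The heredoc samples below are copied from the thread; on a live host feed
# the functions with `netstat -su` and `netstat -pan` instead.

udp_loss_pct() {
    # Reads `netstat -su` text on stdin; prints the percentage of datagrams
    # that ended as receive errors (full socket buffer, no listener), rounded.
    awk '
        /^[0-9]+ packets received$/      { recv = $1 }
        /^[0-9]+ packet receive errors$/ { err  = $1 }
        END {
            if (recv + err == 0) { print 0; exit }
            printf "%d\n", (100 * err) / (recv + err) + 0.5
        }'
}

syslog_recvq() {
    # Reads `netstat -pan` text on stdin; prints the Recv-Q (bytes waiting,
    # i.e. unread datagrams) of the UDP socket bound to port 514.
    awk '$1 == "udp" && $4 ~ /:514$/ { print $2 }'
}

# Constructed samples, taken verbatim from the post above.
SAMPLE_SU='Udp:
6885470 packets received
7315 packets to unknown port received.
19052981 packet receive errors
4144963 packets sent'

SAMPLE_PAN='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 83885928 0 0.0.0.0:514 0.0.0.0:* 2391/rsyslogd'

check_receiver() {
    # Returns non-zero when more than 1% of datagrams error out or the
    # syslog socket has unread data queued: both mean log lines are being lost.
    pct=$(printf '%s\n' "$SAMPLE_SU" | udp_loss_pct)
    q=$(printf '%s\n' "$SAMPLE_PAN" | syslog_recvq)
    if [ "$pct" -gt 1 ] || [ "${q:-0}" -gt 0 ]; then
        echo "WARN: ${pct}% UDP receive errors, Recv-Q on :514 is ${q:-0} bytes"
        return 1
    fi
    echo "OK: ${pct}% UDP receive errors, no backlog on :514"
}
```

Run `check_receiver` from cron on the log server; with the sample above it reports 73% receive errors and an 83885928-byte backlog and exits non-zero.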
 
I would like to make a syslog server too; I have been thinking about that for some time.

I've some questions about that:

1. If you set up more DA servers to one syslog, how can you define different log files?
2. Is there a way to save more than 5 days of backups, as the default setting does? I would like to save the last 30 days of logs.
3. Do you have to configure each service to save to the remote syslog, or is there a way to configure the local syslog to send logs to the remote syslog?

Thanks in advance
 
1. If you set up more DA servers to one syslog, how can you define different log files?

The log entries on the remote server look like this:
2010-09-13T16:05:48.337763-04:00 10.2.12.37 kernel: printk: 3 messages suppressed.

With the IP of the originating server in the log line. I'm sure there are ways to split this up further, but it works OK.

2. Is there a way to save more than 5 days of backups, as the default setting does? I would like to save the last 30 days of logs.

Change the log rotation schedule on the logging server:
Code:
vi /etc/logrotate.conf
Start there.

3. Do you have to configure each service to save to the remote syslog, or is there a way to configure the local syslog to send logs to the remote syslog?

This is the part I'm playing with now. If you just do *.* @REMOTEIP on each server you send everything to the remote server. Problem is, with over 200 servers, yeah, that totally KILLS the UDP network on the logging server and it quickly starts discarding over 90% of the packets it's sent.

Right now I only have auth.notice going to the log server so I can track ssh (and other) logins.

If DirectAdmin would log LOGINS via this auth.* method I could stop right there. I only want to store login data remotely, so if a server is hacked they can't remove the logs that show when they got in, etc. <--HINT HINT!!
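Added example (not from the thread, not DirectAdmin's or rsyslog's own documentation) of the configuration this answer describes, in rsyslog legacy directive syntax with 10.x.x.x standing in for the log server: the per-host template covers question 1, the logrotate stanza question 2, and the selective client rule question 3.

```conf
# --- /etc/rsyslog.conf on the log server (receiver) ---
$ModLoad imudp
$UDPServerRun 514
# Also accept TCP: a saturated TCP receiver slows senders down instead of
# silently dropping datagrams the way the UDP socket in this thread did.
$ModLoad imtcp
$InputTCPServerRun 514

# Question 1: one file per sending host, keyed on the source address that
# already appears in each received line.
$template PerHostAuth,"/var/log/remote/%FROMHOST-IP%/auth.log"
auth,authpriv.*   ?PerHostAuth
& ~

# --- /etc/logrotate.d/remote-auth on the log server ---
# Question 2: keep 30 daily rotations instead of the distribution default.
/var/log/remote/*/auth.log {
    daily
    rotate 30
    compress
    missingok
    notifempty
}

# --- /etc/rsyslog.conf on each monitored server (client) ---
# Question 3: forward only what must survive a local wipe, not everything.
# Weak (what overwhelmed the receiver in this thread):
# *.*              @10.x.x.x
# Corrected: login records only, over TCP (@@) so bursts queue instead of drop.
auth,authpriv.*   @@10.x.x.x:514
```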
 
What about syncing a log with cron? I mean, exim (for example) writes its log locally and at a defined time syslog sends those logs to the remote; doing this once an hour with 5 min between services should bring the load down... ofc, only if it is a valid idea... I'm just supposing, without any proof, that it is possible or not.
 
What about syncing a log with cron? I mean, exim (for example) writes its log locally and at a defined time syslog sends those logs to the remote; doing this once an hour with 5 min between services should bring the load down... ofc, only if it is a valid idea... I'm just supposing, without any proof, that it is possible or not.

This would work, but! If you get hacked, the first command they're gonna issue is echo > /var/log/secure;echo > /var/log/wtmp and a few other goodies. So you'll lose the logs.

So for security purposes this is nearly worthless; for keeping logs it'll work fine.
 
BTW, thanks for the hint about logrotate, but it is already at 4 weeks... and that's OK for syslog and dmesg and the others... but, for example, the exim conf has just 10 days... maybe there is a specific conf for exim to edit?
 
Well, you should just set those critical logs to be up to date on the remote system... and the "less important" ones in cron.

Should that work?
 